Sunday, January 11, 2015

Juniper SRX Probe & Track

Like with the cisco Router & ASA you can  define a probe and track. The juniper SRX probe gives you full access on the  type of probes  and is very advance. The type of probes are;

  • http-get
  • tcp/udp-port-prings
  • icmp-pings
  • etc...
note:  The flexibility of these probes are way greater than any cisco ASA current codeset giving the SRX  much greater control on probes ( aka  IP SLA for cisco folks )


I will demonstrate a very simple icmp-probe check, and if the route to the target is lost, we will inject a new route. In this case, I'm injecting a specific /24 route but the route could be a new default thru a 2nd ISP provider.

1st here's how  we do a basic icmp-probe-type ( interval 1 sec probe-count of 5x , the probe is deem failed when we have a total loss , target = 100.100.100.100 )




The monitor that will make the route adjustments based on the assigned probe


The above should be self explanatory, but if the name probe SOCpup should fail, we will execute a route change to add  dest.net 9.0.0.0/24 and with a next-hop of 192.168.1.99

We can validate this in route table ip monitor status & status of  our active-probes

( notice the failed when our target became unreachable ?  )



( status of an active successful probe )


( route injected due to a fail icmp-probe )






Juniper SRX version 

Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
        o 
       /  \



Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)